The Value Of STIR/SHAKEN For Inbound Calling
Originally published on Forbes.com
As of June 30, 2021, carriers are required by the Federal Communications Commission to deploy STIR/SHAKEN call authentication technologies to combat illegal caller ID spoofing. While much attention has been devoted to the technologies’ impact on outbound call centers — and most enterprises have been working with their carriers to deploy STIR/SHAKEN for their outbound calls — implementation of the framework for inbound operations is lagging. Nearly 90% of respondents to Neustar’s 2021 survey, conducted in March 2021, said their inbound call center analytics were not prepared to ingest STIR/SHAKEN data.
The STIR/SHAKEN framework is not a substitute for an inbound caller authentication solution, but it does offer contact centers an important additional data element to use in establishing trust with callers: a phone call’s attestation level.
Attestations are classified into three tiers. With full (A-level) attestations, the carrier originating the call declares that the caller is its customer, that it assigned the caller’s phone number and that the call originated on its network. With partial (B-level) attestations, the carrier confirms that the caller is its customer and that the call originated on its network, but it did not assign the number to the calling device. With gateway (C-level) attestations, the carrier asserts that it has no relation to the initiator of the call and that the call originated outside its network. A low level of attestation does not automatically mean a call is spoofed — international calls, for example, will also receive C-level attestations — but they do indicate that the call merits further analysis.
Attestations can provide contact centers with valuable information that not only makes it easier to identify trusted calls, but that also allows enterprises to focus their fraud-fighting efforts on calls that do not receive strong STIR/SHAKEN attestations.
Enterprises that wish to benefit from STIR/SHAKEN in their inbound operations should arrange to have their carriers and partners add STIR/SHAKEN data into the SIP headers of inbound calls. Some carriers may make this information available as part of an optional data service that requires an additional fee.
Expecting Fraudsters to Adapt
As STIR/SHAKEN improves the detection of spoofed calls, fraudsters are likely to adopt other phone-fraud tactics that do not rely on call spoofing, such as the use of virtual call services. In the industry, we’ve already seen criminals gravitate to virtual call services, with fraud attempts that use virtual apps rising sharply over the past 18 months. That volume is only expected to increase, and because calls from virtual apps are not spoofed, they receive high attestations levels.
Attestations can deliver useful information that helps contact centers establish the identity and authenticity of inbound callers, but it is not a substitute for an inbound caller authentication solution, which requires additional signals and analysis that help call centers stay ahead of fraudsters’ inevitable adaptation to the STIR/SHAKEN environment.
For example, rather than spoofing a customer number, a criminal could initiate a call from a virtual call service like Skype or Google Voice that is unrelated to the customer’s record and then use stolen personal information to correctly answer the agent’s challenge questions and trick them into granting access to the customer’s account. These calls look trustworthy, and because they don’t originate from unique physical devices, the fraudster will be impossible to trace. The problem has been significant enough to recently prompt Ofcom, the U.K. equivalent to the FCC, to have local phone networks block foreign-based virtual calls that pretend to be from within the U.K. Call centers need analytic solutions that can both identify these types of calls and stratify them based on risk level.
The Importance of Inbound Caller Authentication
The inability to determine a caller’s trustworthiness has long led many enterprises to limit interactive voice response options to low-value operations, forcing agents to deal with larger call volumes and requiring most callers — the vast majority of whom are legitimate customers — to undergo extensive identity interrogation before receiving assistance.
These issues can be eliminated if callers can be authenticated before reaching the IVR system or an agent. Pre-answer authentication allows contact centers to provide a consumer-friendly experience without increasing the risk of fraud.
When a caller uses a mobile phone or residential cable or landline, they can be identified and deterministically authenticated via their device, which is a faster and more secure process than traditional post-answer knowledge-based authentication. If the device data for the calling number match what is in the customer’s file, the inbound call center can trust that it is engaged in an authentic call with the customer — reducing the need for identity interrogation and leading to improved customer satisfaction and shorter average handle times.
When caller authenticity cannot be confirmed, the STIR/SHAKEN attestations level, calling history, call routing and other signals can then be used to stratify these callers by trust level, using probabilistic risk assessment. This approach gives call centers the means to handle high volumes of inbound calls safely and quickly.
To address this, organizations should start with an audit of their current inbound call processes. From there, it’s important to recognize the value in exploring the increasingly advanced options in the marketplace to best protect themselves while streamlining the customer experience.
Put simply, STIR/SHAKEN helps enterprises better identify the calls that should be trusted. Leveraging the STIR/SHAKEN framework together with pre-answer inbound caller authentication solutions can broaden your fraud protection, while, at the same time, improving the customer experience and increasing operational efficiency.